Reviewing registration of data controllers and data processors

The Nigeria Data Protection Act 2023 (NDPA) is Nigeria’s main data protection legislation. The NDPA was enacted and came into effect on June 12, 2023.


The NDPA creates the Nigeria Data Protection Commission (the Commission) as an independent body with the mandate to, amongst other things, register data controllers and processors of major importance; create regulations, rules, directives, and guidelines as needed for the NDPA’s implementation; and prescribe the fees that data controllers and processors must pay in relation to data processing operations.

Section 44 of the NDPA requires data controllers and data processors of major importance to register with the NDPC within six months after the commencement of the NDPA or on becoming a data controller or data processor of major importance.

Based on this, the NDPC on February 14, 2024 issued the Guidance Notice titled ‘Registration of Data Controllers and Data Processors of Major Importance’ to provide guidance with respect to the registration process, requirements, timeframe, and consequences of non-compliance.

Criteria for designation as data controllers and data processors of major importance

An organisation that meets the following criteria is considered by the NDPC to be a data controller and data processor of major importance:


Where the organisation is deemed to have particular value or significance to the economy, society or security of Nigeria and keeps or has access to a filing system (whether analogue or digital) for the processing of personal data and satisfies any of the following conditions: processes the personal data of more than 200 data subjects in six months; or carries out commercial Information Communication Technology (ICT) services on any digital device which has storage capacity and belongs to another individual; as well as processes personal data as an organisation or a service provider in any one of the following sectors, namely: Financial; Communication; Health; Education; Insurance; export and import; aviation; tourism; oil and gas; and electric power.

Where the organisation is under a fiduciary relationship with a data subject by reason of which it is expected to keep confidential information on behalf of the data subject, taking into consideration the significant harm that may be done to a data subject if such organisation is not under the obligations imposed on data controllers or processors of major importance.

Classification of data controllers and data processors of major importance


The NDPC classified data controllers and data processors of major importance into three categories of data processing: Major Data Processing-Ultra High Level (MDP-UHL), Major Data Processing-Extra High Level (MDP-EHL), and Major Data Processing-Ordinary High Level (MDP-OHL).

Major Data Processing-Ultra High Level (MDP-UHL):

Amongst other compliance obligations, organisations that fall within this category will be required to ensure adherence to global and highest attainable data protection standards. The fee payable by such organisations is the sum of N250,000.

Organisations that come under this category include commercial banks operating at the national or regional level, telecommunication companies, insurance companies, multinational companies, oil and gas companies, electricity distribution companies, public social media app developers and proprietors, public e-mail app developers and proprietors, communication devices manufacturers, payment gateway service providers and any organisation that processes personal data of over 5,000 data subjects in six months.


Major Data Processing-Extra High Level (MDP-EHL):

Amongst other compliance obligations, organisations in the MDP-EHL category are required to ensure that their data processing operations are carried out in accordance with data protection global best practice. Registration under this category attracts a fee of N100,000 (one hundred thousand Naira).

Organisations under this category include microfinance banks, higher institutions, hospitals providing tertiary or secondary medical services, mortgage banks and any organisation that processes personal data of over 1,000 data subjects within six months.

Major Data Processing-Ordinary High Level (MDP-OHL):

Organisations under the MDP-OHL category, like the first two categories, are required to carry out their data processing operations in accordance with data protection global best practice, amongst other compliance obligations. The registration fee applicable to this category is N10,000.


Organisations here include small and medium-scale enterprises; primary and secondary schools; primary health centers; agents/contractors and vendors who engage with data subjects on behalf of other organisations that are in the category of MDP-UHL and MDP-EHL; and any organisation that processes personal data of over 200 data subjects within six months.

Registration timeline

The guidance notice provides that all existing data controllers and data processors meeting the registration threshold are to register with the NDPC between 30 January, 2024 and 30 June, 2024. Data controllers and data processors that register after the due date or fail to register may face regulatory sanctions under the Act.

In conclusion, to ensure compliance and avoid regulatory sanctions under the Act, it is crucial for all organisations that qualify for registration to commence the process of registration as data controllers and data processors of major importance under the appropriate tier classification as soon as possible.

Akagu is an Associate at CLP Legal.